SCA: security update for github.com/minio/minio (GHSA-wc79-7x8x-2p58)

Severity: High | Tenable Cloud Security Plugin ID 421021

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the `sshPublicKey` attribute. Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trusting the key, allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). Three requirements must be met in order to exploit the vulnerability. First, the MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Second, the attacker must have knowledge of an LDAP username that does not have the `sshPublicKey` property set. Third, such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups). Version 1.2.0 fixes the issue. (CVE-2025-27414)
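The trust decision the advisory describes, reduced to its essential shape, as an added Go illustration that is not MinIO's code: `normalizeKey`, `trustedVulnerable`, `trustedFixed` and the key strings are constructed for this example. The vulnerable form only rejects when it sees a mismatch, so a user whose LDAP entry has no `sshPublicKey` values falls through to "trusted"; the hardened form defaults to deny and requires a positive match.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeKey reduces an OpenSSH public-key line to "<type> <base64 blob>",
// dropping the optional trailing comment so comments never affect matching.
func normalizeKey(line string) string {
	f := strings.Fields(line)
	if len(f) < 2 {
		return ""
	}
	return f[0] + " " + f[1]
}

// trustedVulnerable is a constructed illustration of the flawed logic shape
// (not MinIO's code): "no mismatch observed" is treated as "key matched",
// so an empty sshPublicKey attribute list trusts any client key.
func trustedVulnerable(ldapKeys []string, clientKey string) bool {
	want := normalizeKey(clientKey)
	for _, k := range ldapKeys {
		if normalizeKey(k) != want {
			return false
		}
	}
	return true // BUG: reached with zero attribute values
}

// trustedFixed is the default-deny form: the client key must equal at least
// one sshPublicKey value, and a missing attribute means no key-based login.
func trustedFixed(ldapKeys []string, clientKey string) bool {
	want := normalizeKey(clientKey)
	if want == "" {
		return false // malformed client key
	}
	for _, k := range ldapKeys {
		if normalizeKey(k) == want {
			return true
		}
	}
	return false // no attribute or no match: deny
}

func main() {
	// Constructed key material; the base64 part is a placeholder, not a real key.
	client := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA alice@laptop"
	var noAttr []string // LDAP user without an sshPublicKey attribute
	fmt.Println("no attribute, vulnerable:", trustedVulnerable(noAttr, client)) // true
	fmt.Println("no attribute, fixed:     ", trustedFixed(noAttr, client))      // false
}
```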

See Also

https://github.com/advisories/GHSA-wc79-7x8x-2p58

Plugin Details

Severity: High

ID: 421021

Version: Revision 1.16

Type: Local

Family: SCA Checks

Published: 3/4/2025

Updated: 7/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.86

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-27414

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 4.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/3/2025

Vulnerability Publication Date: 2/28/2025

Reference Information

CVE: CVE-2025-27414

CWE: CWE-287